SEC Consult has confirmed with The Reg that the database is not accessible any more.

Worse yet, an attacker might be able to remotely turn on the device without the consent of its owner, security researchers discovered. Non-consensual “tickling” could be carried out either against a nearby Bluetooth-based device or over the internet.

Based on app download figures, tens of thousands of users are potentially affected.

The research was carried out by Werner Schober in cooperation with security consultancy SEC Consult and the University of Applied Sciences St. Pölten, Austria.

The Vibratissimo Panty Buster, its associated iOS/Android application and the server backend had multiple vulnerabilities, including:

Customer database credential disclosure

Exposed administrative interfaces on the internet

Cleartext storage of passwords

Unauthenticated Bluetooth LE connections

Insufficient authentication mechanism

Insecure direct object reference

Missing authentication in remote control

Reflected cross-site scripting

SEC Consult contacted CERT-Bund (part of the German Federal Office for Information Security) to help coordinate the disclosure process for the German vendor. Most of the more severe vulnerabilities have been addressed.

As a hotfix, the hardware manufacturer has already implemented a more secure pairing method in a new firmware version. According to claims by the researchers, however, the vendor had initially gone as far as to dispute whether hacker manipulation of other people’s devices was a problem before it made the fix. SEC Consult alleged the manufacturer had said it was even a “desired property of the sex toy”.

We’ve asked Amor Gummiwaren for comment.

This research was done as a part of a master’s thesis with the goal of reviewing multiple smart sex toys including several teledildonics devices. ®